维表智联 System Generation
Review
Audited by ClawScan on May 11, 2026.
Overview
This appears to be a legitimate Dimens system-planning skill, but real execution can use API keys to change projects, data, reports, canvases, and permissions.
Before installing, confirm you actually want the agent to plan and potentially execute Dimens workspace changes. Use limited-scope credentials, verify the `dimens-cli` installation, ask for a plan before execution, review any create/update/delete/permission commands, and be careful with public views or role changes on sensitive business data.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used with powerful credentials, the agent or CLI can act within the user's Dimens account and workspace according to that user's permissions.
The skill requires API Key/API Secret login and stores a reusable token locally for subsequent account actions. This is purpose-aligned for Dimens automation, but it is sensitive delegated account access.
dimens-cli auth api-key-login ... --api-key ak_xxx --api-secret sk_xxx ... After a successful login, the CLI writes the returned `token` to the local profile
Use least-privilege API keys, confirm the target team/project before running commands, avoid sharing secrets in chat or logs, and revoke or clear local tokens when no longer needed.
Mistaken execution could alter or remove business data, change visibility, or grant/restrict access in a Dimens project.
The documented CLI workflows can update/delete documents and change roles, permissions, and row policies. These are expected for a system-orchestration skill, but they are high-impact operations if run against the wrong IDs or without review.
`doc update` ... `doc delete` ... `role create -> permission create -> role assign-user -> row-policy create`
Require explicit user confirmation for mutations, review IDs and affected resources, prefer small reversible changes, and use the documented read-before-write and post-change verification steps.
A user may need to install or rely on an external CLI that is not bundled or verified by this skill package.
The skill's execution path depends on `dimens-cli`, but the package is instruction-only and the registry metadata lists no required binaries or install spec. This is not suspicious by itself, but the external CLI provenance matters.
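Whenever `dimens-cli` already covers the relevant capability, the plan and execution steps should recommend the `dimens-cli` command line first; ... must first use `dimens-cli auth api-key-login`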
Install `dimens-cli` only from the official Dimens source, verify its version and documentation, and do not run copied commands with real credentials until the CLI is trusted.
